The Session Initiation Protocol (SIP) and Spam
draft-ietf-sipping-spam-05
Yes
(Jon Peterson)
No Objection
(Lars Eggert)
(Magnus Westerlund)
(Mark Townsley)
(Ron Bonica)
(Ross Callon)
(Tim Polk)
Recuse
(Cullen Jennings)
Note: This ballot was opened for revision 05 and is now closed.
Chris Newman Former IESG member
(was Discuss)
Yes
Yes
(2007-05-24)
Unknown
This is an important document and I believe it would benefit the community to have this published soon. However, this document repeatly makes the mistake of being too authoritative in an area which is more of a research problem space. As a result, it includes several statements that are factually incorrect or execessively authoritative. This weakens the document significantly. I recommend one editing pass to try to at least fix the factual errors. The first problem I noticed was this: " a plague on the Internet email system, rendering it nearly useless." The phrase "rendering it nearly useless" is a factual error. Spam has done a great deal of damage to the Internet mail system -- made it _much_ more expensive to run, it has made it annoying, it has swaped solicited/desired traffic with unsolicited/undesired traffic, and it has basically destroyed the robustness principle. But it has not made email "nearly useless". Starting this document with a false statement greatly weakens an otherwise interesting analysis. Other factual errors: "These kinds of consent-based systems are used widely in presence and IM but not in email." Factually incorrect -- most email mailing lists use consent-based systems, including IETF mailing lists. "This is likely due to the need for a secure authenticated identity mechanism, which is a pre-requisite for this kind of solution." Email mailing lists provide a consent-based mechanism without a secure authenticated identity mechanism. They leverage the fact that it is quite difficult to intercept mail destined for a specific address. "Email does not have this kind of secure domain identification, although new techniques are being investigated to add it using reverse DNS checks (see below)." What about RFC 4871? "In email, there are no standards established for securely identifying the identity of the sending domain of a message." RFC 4871 is such a standard. Also SMTP STARTTLS could be used for inter-domain transfers (although deployment of the key infrastructure is likely impractical for this purpose at the moment). I also think it's very easy to fall into pitfalls when talking about spam absent an attack tree analysis of spamming. An attack tree looks at what kinds of spammers are out there and what their motivations are. I would put 3 nodes under the root of the spam attack tree: "pranksters", "commercial" and "organized international crime". Under "commercial", we have in-house and out-sourced UBE sub-nodes. An important sub-node of the organized international crime node is phising (very profitable and thus largely immune to costs). The anlaysis in this document applies well to the in-house sub-node of the commercial node. The analysis starts to fall apart on some of the other nodes in the attack tree. Examples of text which is too authoritative: "As a result, the problem of forged senders can be eliminated, making the white list solution feasible." The problem may be largely addressed, but it's not eliminated as there are always attacks that work (as a last resort, social engineering or coersion of the identity the attacker is forging). "Fortunately, it is possible to apply traditional content filtering systems to the header fields in the SIP messages, thus blocking these kinds of consent requests." Content filtering only partially blocks such requests. "Thus, if consent is required first, and nearly all users do not give consent to spammers, the value in sending spam is reduced" This varies based on the node in the attack tree, while true for commercial spam this is much less true for phishers. "One way to prevent spam is to make your address difficult or impossible to gather." This is a way to _reduce_ spam, not prevent it. "This technique has the potential to truly make it prohibitively expensive to send spam of any sort." It depends on how profitable the spam product happens to be. In the case of phishing, I doubt this statement is true. "Since spam is a consequence of untrusted domains and users that get connected to the network," Spam can be a consequence of a _trusted_ user who manages their Windows machine poorly. ;-)
Jari Arkko Former IESG member
Yes
Yes
(2007-05-24)
Unknown
> magntiude cheaper to send than traditional circuit-based telemarketer Typo
Jon Peterson Former IESG member
Yes
Yes
()
Unknown
Lars Eggert Former IESG member
No Objection
No Objection
()
Unknown
Lisa Dusseault Former IESG member
No Objection
No Objection
(2007-05-23)
Unknown
Section 3.2 on Black Lists and section 3.3 on White lists should mention zombie spam. Both blacklists and whitelists are problematic because spam can come from infected machines in domains, or from addresses, that we'd otherwise like to receive messages from. Zombies are mentioned elsewhere in the document but they're particularly harmful to blacklist and whitelist solutions. For that matter, reputation systems are quite undermined by zombies. It might be useful to point out that existing botnets can be quickly adapted to SIP -- a set of existing compromised machines can easily be given new code to send SIP spam. (Indeed, in section 3.9, the text reads as if whitelists are a solution to zombie networks which they're not, and botnets are also ignored in section 4.2.) 3.4: "Since most of today's IM systems are closed" -- I don't know what is meant by "closed"
Magnus Westerlund Former IESG member
No Objection
No Objection
()
Unknown
Mark Townsley Former IESG member
No Objection
No Objection
()
Unknown
Ron Bonica Former IESG member
No Objection
No Objection
()
Unknown
Ross Callon Former IESG member
No Objection
No Objection
()
Unknown
Sam Hartman Former IESG member
No Objection
No Objection
(2007-05-23)
Unknown
I've registered a no objection position. However there are a lot of statements in this draft that seem to ignore dkim. As far as I can tell dkim and sip identity are very similar solutions. I'm not sure that the advice here will work, but it does seem like the best advice I've read on the subject. There is a lot of good stuff here.
Tim Polk Former IESG member
No Objection
No Objection
(2007-05-22)
Unknown
Section 2.3 Presence Spam Unlike sections 2.1 (Call Spam) and 2.2 (IM Spam), there are no cost estimates. Since cost is used to estimate the likelihood of spam in the parallel subsections, it seems that cost should be addressed here as well. Section 3.8 Turing Tests 7th paragraph: I believe the cost should be .50 cents per test and per message, rather than 50 cents per test and message. 3.10 Payments at Risk Third paragraph: If the sender is allowed, the provider takes .64 cents rather than 64 cents. The total cost to the sender for a legitimate transaction should be 1.39 cents (.75 plus .64 cents). For ten new recipients per day, the cost would be $4.17 per month (assuming 30 days in the month). The remaining comments are from the SecDir Review by Donald Eastlake: This draft is a reasonably thorough review of potential "spam" problems with SIP and a survey of possible solutions including anti-spam recommendations. The Security Considerations section says merely This memo is entirely devoted to issues relating to secure usage of SIP services on the Internet. I'm fine with a very short Security Considerations section for this document, given its survey nature, but I don't think "secure usage" is really accurate. Maybe This memo is entirely devoted to issues related to the amelioration of spam in SIP and references a variety of security mechanisms in support of that goal. Also, at the end of section 3.4, in the paragraph split between pages 11 and 12, the possibility of automatically granting permission for a limited length IM for the purpose of examining the content of that IM and discarding it without bothering the user if it is judged to be spam, and maybe then blocking that sender for a while, appears not to be considered. ++++++++++++++++++ Editorial/trivia: "UAC" is used exactly once in this document. Suggest spelling it out. Several places "10s" -> "10 seconds". Last line of page 12, suggest "grant" -> "give" as "grant" has a connotation to me of giving something that is positive or favorable. Section 3.8, page 15, "processing an artificial" -> "processing and artificial". First line of the third paragraph in Section 3.8, delete the comma. Spell out IVR, at least the first time it is used. Section 3.8, third paragraph on page 16, "50 cents" -> "0.5 cents" twice. There are numerous occurrences of "TLS". I assume these are references to Transport Layer Security but this is never spelled out nor is there any RFC reference given for this. Spell out PSTN, at least the first time it is used. Section 5, first paragraph, second line, suggest deleting "identity of a". Section 6, "White Lists" paragraph, 3rd line, suggest deleting "of the". Thanks, Donald
Cullen Jennings Former IESG member
Recuse
Recuse
()
Unknown